ejs - RCE (CVE-2023-29827)

CVE-2023-29827 is a vulnerability in ejs v3.1.9 allows for server-side template injection if an attacker can control the EJS file and manipulate the closeDelimiter parameter. This flaw could potentially be exploited for remote code execution (RCE), enabling attackers to run arbitrary code on the server. However, the vendor disputes the risk, noting that the render function is not intended for use with untrusted input.

CrowdSec has been tracking this vulnerability and its exploits since 30th of June 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2023-29827 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2023-29827 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit this vulnerability by injecting malicious JavaScript code into the settings[view options][closeDelimiter] parameter of the /page endpoint, enabling remote code execution via EJS template injection.